Hipaa Compliance for Counselors: 8 Things Your Practice Should be Doing

In 2017 alone, over 20 million dollars was paid out in HIPAA settlements and penalties, and that is only a partial figure, since 2017 cases were still being processed.

When considering HIPAA, many think of surgeons and hospital staff, but mental health counselors also need to be aware of HIPAA rules and how to stay compliant.

Whether you are a social worker or a psychiatrist, if you have patients or people that you discuss personal information with as part of your job, it is non-negotiable that you learn how to protect that information.

Let’s take a look at some things you can do to make sure you and your practice stay compliant.

HIPAA Compliance for Mental Health Counselors

HIPAA, the Health Insurance Portability and Accountability Act, has been around for just over 20 years, and it has completely reshaped the way medical records and treatment information are handled.

While patient information is certainly what HIPAA protects, the way records are transferred and stored is also a critical component. Being careful is not enough: you need to know the exact protocols to follow, otherwise it could cost you or your practice millions.

So, how do you stay compliant as a mental health counselor? There are a few important things you should be doing.

1. Educate Yourself

The first step is to learn exactly what HIPAA protects. As stated before, it protects patient information and the way it is transferred and stored, but what are the exact requirements? 

There are official education materials and free training provided by the government.

As a mental health counselor, you should learn about the specific things you should be doing for your practice, but much of the knowledge is universal. Staying current with updates to HIPAA and the best practices for compliance is also key to avoiding a violation and the penalties that follow.

2. Train Others

Assuming you have employees working at your practice, it isn't enough for you to be the only one knowledgeable about HIPAA and what it means. The safest approach is to assume that everyone in your office can come into contact with patient information and train them all; the Security Rule's training standard applies to every member of the workforce, including management.

There is no official HIPAA certification, so none is required, but making a defined training course a requirement in your practice is worth it. A training every employee must complete ensures they are following the proper steps, and keeping a record of who completed it and when gives you evidence that the training happened.

If you have a large practice, consider designating one of your employees as the training lead. This takes a burden off of yourself and makes sure you have a bona fide expert on staff.

3. Use the Proper Forms

Get ready for new paperwork. Having signed forms from both your patients and employees is some of the best protection your practice can have from HIPAA violations.

Notice of privacy practices, disclosure agreements, and logs are just some of the forms you will need to implement. Having signatures on these forms shows that all information was properly conveyed and agreed to.

For mental health professionals, knowing exactly how your patients are protected will help you determine your forms. 

You will need to check the specific requirements for both your practice and the state in which you practice. Every profession and every local government does things a little differently.

4. Physical Security

Regardless of training or signed documents, things can happen. Protecting your hard copies of patient information and all incoming and outgoing communications is critical to being compliant.

Your patient files should be kept private and accessible only by those who need them. Use locking file cabinets and, if your office space or job makes it possible, locked rooms dedicated to the storage of patient information.

Fax machines and printers are dangerous beasts. Leaving print-outs sitting there is just asking for a HIPAA violation. Implement procedures for how these devices are handled, and place them in locations away from prying eyes, such as behind the front desk rather than in the waiting area.

5. Digital Security

Electronic records are the reason HIPAA's Security Rule exists. In 1996, when HIPAA was enacted, only a fraction of the information we use today was traveling through electronic channels.

Now, everything is digitized. Patient information, treatment logs, and vitals are emailed back and forth and stored on servers. Unless your practice is off the grid, you'll need to make sure you are compliant.

You and your employees need to learn about data privacy laws now. These laws are getting tougher all the time as people become more cautious about their personal data being transmitted.

Your computers and servers should be secured with malware protection and encrypted data storage, so that a lost laptop or stolen drive does not expose readable patient data. Only vetted, trustworthy communication programs should be used for sending patient information; ordinary email is not encrypted in transit by default.

6. Transparency

Having a patient be surprised about how their data is handled is a quick way to end up with a complaint filed against your practice. Beyond the forms that were already mentioned, having your procedures clearly posted for all to see is a best practice.

A paper trail and data trail of all logs and communication is also a way to protect yourself. If you can account for every step that a file has taken along the way, you'll be better prepared for a question about possible HIPAA violations. For electronic records this is not optional: the Security Rule's audit controls standard requires mechanisms that record and examine activity in systems that hold patient data.
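One way to build the kind of data trail described above is a tamper-evident access log, where each entry is chained to the one before it with a keyed hash, so that an edited, inserted, or deleted line breaks every later link. The following is an added example written for this article, not code from the original page; the entry fields, the genesis link value, and the sample events are all constructed for the demonstration, and the key is assumed to be stored somewhere the log writer cannot read it back (a secrets manager or hardware module), since anyone holding the key could rewrite the chain.

```python
"""Tamper-evident access log for patient records (added example, constructed data).

Each stored line holds an event plus an HMAC over (previous link || event).
Verifying the log recomputes every link from the first entry; the first
entry whose link does not match is where tampering (or a missing line)
begins. The HMAC key must be kept outside the log itself.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Link value that the first entry chains to (a convention chosen for this example).
GENESIS = "0" * 64


def _link(key: bytes, prev_link: str, entry: dict) -> str:
    # Canonical JSON so the same event always serializes identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_link.encode() + payload, hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, user: str, record_id: str, action: str,
                 when: Optional[str] = None) -> dict:
    """Append one access event (view, edit, print, fax, export...) and return the stored line."""
    entry = {
        "ts": when or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "record": record_id,
        "action": action,
    }
    prev = log[-1]["link"] if log else GENESIS
    line = {"entry": entry, "link": _link(key, prev, entry)}
    log.append(line)
    return line


def verify_log(log: list, key: bytes) -> tuple:
    """Recompute every link. Returns (ok, index of first bad entry, or -1 when intact)."""
    prev = GENESIS
    for i, line in enumerate(log):
        expected = _link(key, prev, line["entry"])
        if not hmac.compare_digest(expected, line["link"]):
            return False, i
        prev = line["link"]
    return True, -1


def entries_for_record(log: list, record_id: str) -> list:
    """Every step a single patient file took, in order."""
    return [line["entry"] for line in log if line["entry"]["record"] == record_id]


if __name__ == "__main__":
    # Constructed sample events; the key here is for demonstration only.
    demo_key = b"constructed-demo-key"
    demo_log: list = []
    append_entry(demo_log, demo_key, "dr.smith", "pt-001", "view", "2024-01-01T09:00:00+00:00")
    append_entry(demo_log, demo_key, "frontdesk", "pt-001", "print", "2024-01-01T09:05:00+00:00")
    append_entry(demo_log, demo_key, "dr.smith", "pt-002", "edit", "2024-01-01T09:10:00+00:00")
    print("intact:", verify_log(demo_log, demo_key))
    demo_log[1]["entry"]["user"] = "dr.smith"  # someone rewrites who printed the file
    print("after edit:", verify_log(demo_log, demo_key))
```

The point of the chain is that a staff member who can write to the log still cannot quietly rewrite history; reviewing the log then means running the verification first and only trusting entries before the first failure. Real deployments also ship the log off the workstation that generates it, so a compromised machine cannot delete the whole file.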

Requirements and HIPAA laws should also be posted for all employees to easily see. Put these in high traffic areas such as break rooms and near confidential file storage.

7. Your Business Associate

As a solo employee or individual, you may not have many dealings with outside contractors or vendors, but the occasional situation may still occur. Larger practices will certainly have vendors or contractors that they work with.

Any company or person that creates, receives, maintains, or transmits patient information on your behalf is a business associate. They must also follow HIPAA, and you need a signed business associate agreement with them before they handle that information. A vendor that never touches patient data, such as your landlord, is not a business associate.

A common case is the IT professional who performs computer repair and maintenance and can see whatever is on the machine. These workers should be covered by a business associate agreement and be aware of HIPAA compliance, and careful logs of what they accessed should be maintained.

8. Mental Health Counselor Specifics

Most issues that you as a mental health counselor will need to address are the same as for any medical staff member. The key difference for you is patient notes.

Psychotherapy notes actually get extra protection under HIPAA, but only if you keep them separate from the rest of the medical record. Most disclosures of psychotherapy notes require a specific patient authorization, and they are excluded from the patient's right to access their own record. Progress notes, on the other hand (diagnosis, treatment plan, medication, session start and stop times, test results), are part of the medical record and are ordinary protected health information. Store both with the same physical and digital safeguards as any other patient file.

There is no such thing as being too safe when it comes to avoiding HIPAA violations.

Protect Your Data

There is a lot to do to become HIPAA compliant, but it removes a lot of stress and potentially catastrophic issues from you and your practice. Security of personal data is critical.

Mental health counselors, whether an individual or a practice, are at risk for enforcement actions and civil penalties that can cripple or even end a career or business.

As your practice grows and your technology expands, make sure you remain compliant. Consulting data security experts for your HIPAA data privacy needs is simply a smart business decision. Protect your patients' data now.

HIPAA Security Reminders
HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
